fix: resolve SonarQube vulnerabilities and security hotspots #10

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1776262759-fix-sonarqube-vulnerabilities

Conversation

@devin-ai-integration

Summary

Addresses all active vulnerabilities, security hotspots, and bugs identified by a SonarQube scan:

  • Hard-coded JWT token (BLOCKER): Replaced the well-known jwt.io example token in jwt.service.spec.ts with a non-secret test fixture (base64("testHeader").base64("testPayload").base64("testSignature"))
  • Missing SRI on CDN resources (HOTSPOT): Added integrity + crossorigin="anonymous" to the Ionicons CSS link; added crossorigin="anonymous" to Google Fonts (SRI not feasible since Google Fonts returns user-agent-specific CSS)
  • Protocol-relative URLs: Changed // to explicit https:// for both CDN links in index.html
  • Missing lang attribute (BUG): Added lang="en" to <html> element
  • Missing keyboard handler (BUG): Added keydown.enter/keydown.space handlers, tabindex="0", role="button", and aria-label to the tag-removal <i> element in the editor
  • Swallowed exception (CODE SMELL): Refactored try/catch in user.service.spec.ts to use await expect(promise).rejects.toThrow()

All 180 unit tests pass after these changes.

Review & Testing Checklist for Human

  • Verify the Ionicons SRI hash is correct — if sha384-4r9SMzlCiUSd92w9v1wROFY7DlBc5sDYaEBhcCJR7Pm2nuzIIGKVRtYWlf6w+GG4 is wrong, all icons will break since the browser will refuse to load the CSS. Load the app and confirm icons render correctly.
  • Confirm Google Fonts still loads: crossorigin="anonymous" was added without integrity. Verify fonts display correctly and consider whether self-hosting would be preferred to fully resolve the SonarQube hotspot.
  • Test keyboard accessibility on tag removal — In the article editor, add tags and verify you can focus and remove them using Enter/Space keys. Consider whether a semantic <button> element would be more appropriate than <i role="button">.
  • Verify the user.service.spec.ts refactor — The destroyToken assertion moved from inside a catch block to after rejects.toThrow(). Confirm this still validates the intended error-handling behavior.

Notes

  • Google Fonts cannot use SRI because its CSS response varies by browser user-agent. SonarQube may continue to flag this as a security hotspot — it would need to be marked as "Won't Fix" or the fonts would need to be self-hosted.
  • The replacement JWT token in the test is not a valid signed JWT, but the test only verifies that saveToken persists the value to localStorage, so format validity isn't required.

Link to Devin session: https://app.devin.ai/sessions/20d8e15a3f804e40a5c4dbc98b93deb1
Requested by: @SachetCognition

- Replace hard-coded JWT token in jwt.service.spec.ts with test fixture (VULN-1)
- Add lang='en' attribute to <html> element in index.html (BUG-2)
- Add SRI integrity + crossorigin to Ionicons CDN link (HOTSPOT-1)
- Add crossorigin to Google Fonts CDN link + use HTTPS (HOTSPOT-2)
- Add keyboard handlers, tabindex, role, aria-label to tag removal element (BUG-1)
- Refactor swallowed exception in user.service.spec.ts (SMELL-1)

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
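How the Ionicons integrity value in the checklist above is produced and checked, as an added example that is not part of this PR or the project: a TypeScript/Node implementation of SRI digest generation and browser-style verification (strongest algorithm wins, any digest at that strength may match, no usable metadata means the resource loads unchecked). The CSS bodies are constructed stand-ins, not real Ionicons or Google Fonts responses, and the hash pinned here is computed from them rather than being the sha384 value quoted in the PR. The user-agent case reproduces why the fonts link was left without integrity: a digest pinned from one user agent's response fails against a different user agent's body.

```typescript
// Added example (not the PR's code): SRI digest generation and verification.
// Assumes Node 18+ ('node:crypto'). Sample CSS bodies below are constructed.
import { createHash } from 'node:crypto';

type SriAlgo = 'sha256' | 'sha384' | 'sha512';
const ALGO_STRENGTH: Record<SriAlgo, number> = { sha256: 1, sha384: 2, sha512: 3 };

function isSriAlgo(s: string): s is SriAlgo {
  return s === 'sha256' || s === 'sha384' || s === 'sha512';
}

// The value to paste into integrity="...": "<algo>-<base64 digest of the exact bytes served>".
function sriDigest(body: string | Buffer, algo: SriAlgo = 'sha384'): string {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated tokens, unknown algorithms
// skipped, anything after '?' (option syntax) dropped.
function parseIntegrity(attr: string): Array<{ algo: SriAlgo; digest: string }> {
  const out: Array<{ algo: SriAlgo; digest: string }> = [];
  for (const token of attr.trim().split(/\s+/)) {
    const dash = token.indexOf('-');
    if (dash < 0) continue;
    const algo = token.slice(0, dash);
    const digest = token.slice(dash + 1).split('?')[0];
    if (!isSriAlgo(algo) || digest.length === 0) continue;
    out.push({ algo, digest });
  }
  return out;
}

// Browser rule: of the algorithms present only the strongest counts, and the
// resource passes if any digest at that strength matches. With no usable
// metadata the browser loads the resource unchecked, so a mistyped attribute
// silently protects nothing.
function verifyIntegrity(body: string | Buffer, attr: string): boolean {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;
  const strongest = Math.max(...entries.map((e) => ALGO_STRENGTH[e.algo]));
  return entries
    .filter((e) => ALGO_STRENGTH[e.algo] === strongest)
    .some((e) => sriDigest(body, e.algo) === `${e.algo}-${e.digest}`);
}

// Constructed sample bodies (not real CDN responses).
const ICONS_CSS = '.ion-md-heart:before{content:"\\f308"}';
const FONTS_CSS_UA_A = '@font-face{font-family:"Titillium Web";src:url(a.woff2) format("woff2")}';
const FONTS_CSS_UA_B = '@font-face{font-family:"Titillium Web";src:url(a.ttf) format("truetype")}';

function demo() {
  const pinned = sriDigest(ICONS_CSS);           // goes into <link integrity="...">
  const fontsPinned = sriDigest(FONTS_CSS_UA_A); // taken from one user agent's response
  return {
    pinned,
    iconsLoad: verifyIntegrity(ICONS_CSS, pinned),
    tamperedBlocked: !verifyIntegrity(ICONS_CSS + '/*injected*/', pinned),
    fontsSameUa: verifyIntegrity(FONTS_CSS_UA_A, fontsPinned),
    // false: a different user agent gets a different body, so the pin breaks
    fontsOtherUa: verifyIntegrity(FONTS_CSS_UA_B, fontsPinned),
    // false: a matching sha256 is ignored when a (wrong) sha512 is also present
    weakMatchIgnored: verifyIntegrity(ICONS_CSS, `${sriDigest(ICONS_CSS, 'sha256')} sha512-notTheRealDigest`),
  };
}
```

Two practical notes: the check only runs on a cross-origin `<link>` or `<script>` when `crossorigin="anonymous"` (or `use-credentials`) is present, so the attribute the PR added is a precondition, not decoration; and the digest must be taken over the exact bytes the CDN serves, for example `curl -fsSL <url> | openssl dgst -sha384 -binary | openssl base64 -A`, not over a locally reformatted copy.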
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration
Author

End-to-End Test Results

Ran the app locally on localhost:4200 and tested all UI-visible vulnerability fixes end-to-end.

| # | Test | Result |
|---|------|--------|
| 1 | lang="en" attribute on <html> element | PASSED |
| 2 | Ionicons CSS loads with SRI integrity hash | PASSED |
| 3 | Google Fonts loads with crossorigin + HTTPS | PASSED |
| 4 | Keyboard tag removal via Enter + Space keys | PASSED |
| 5 | No visual regressions across pages | PASSED |

All 5 tests passed.

Test 4: Keyboard accessibility on tag removal (most critical change)
  1. Added two tags in the editor ("testtag1", "testtag2")
  2. Verified ARIA attributes: role="button", tabindex="0", aria-label="Remove tag {name}"
  3. Tab to first close icon → focus ring visible → Enter → tag removed
  4. Tab to second close icon → Space → tag removed
  5. Both keyboard methods work correctly
[Screenshots: before (2 tags with focus on close icon); after Enter key (testtag1 removed); after Space key (all tags removed)]
Tests 1-3: HTML attributes verified via browser console
  • lang attribute: document.documentElement.lang returns "en"
  • Ionicons SRI: integrity="sha384-4r9SMzlCiUSd92w9v1wROFY7DlBc5sDYaEBhcCJR7Pm2nuzIIGKVRtYWlf6w+GG4", crossorigin="anonymous", icons render correctly
  • Google Fonts: crossorigin="anonymous", https:// protocol, fonts render correctly (Titillium Web, Source Sans Pro)
Test 5: Visual regression check

Navigated home page and article detail page. Icons (Ionicons), fonts (Google Fonts), and layout all render correctly with no regressions.

[Screenshot: article detail page]

Non-UI changes (VULN-1: hard-coded JWT, SMELL-1: swallowed exception) validated by 180/180 unit tests passing.

Devin session
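The swallowed-exception refactor listed above (SMELL-1, user.service.spec.ts), shown as an added example that is not the PR's spec file. `TokenStore` and `UserService` are constructed stand-ins for the project's jwt.service and user.service (an assumed shape, not its API), and `rejectingTest` reproduces what `await expect(promise).rejects.toThrow()` enforces without pulling in Jest: the point is that the original try/catch form passes vacuously when the service stops throwing, while the refactored form catches that regression.

```typescript
// Added example, not the PR's test code. TokenStore/UserService are constructed
// stand-ins for the project's services (assumed shape, not its real API).
class TokenStore {
  token: string | null = 'header.payload.signature'; // non-secret fixture, not a real JWT
  destroyCalls = 0;
  destroyToken(): void {
    this.token = null;
    this.destroyCalls++;
  }
}

class UserService {
  private readonly store: TokenStore;
  private readonly failAuth: boolean;
  constructor(store: TokenStore, failAuth: boolean) {
    this.store = store;
    this.failAuth = failAuth;
  }
  // On an auth failure the session is torn down and the error propagates.
  async populate(): Promise<string> {
    if (this.failAuth) {
      this.store.destroyToken();
      throw new Error('401 Unauthorized');
    }
    return 'user@example.com';
  }
}

// Anti-pattern (the "swallowed exception" SonarQube flags): the only assertions
// live in the catch block, so if populate() stops rejecting nothing is asserted
// and the test still reports green.
async function swallowingTest(svc: UserService, store: TokenStore): Promise<boolean> {
  try {
    await svc.populate();
  } catch (err) {
    return err instanceof Error && store.destroyCalls === 1;
  }
  return true; // vacuous pass
}

// Refactored form: require the rejection first (what `await expect(p).rejects.toThrow()`
// does), then assert the side effect outside the catch.
async function rejectingTest(svc: UserService, store: TokenStore): Promise<boolean> {
  let rejected = false;
  try {
    await svc.populate();
  } catch (err) {
    rejected = err instanceof Error;
  }
  if (!rejected) return false; // the promise resolved: that is a failing test
  return store.destroyCalls === 1;
}

async function demo(): Promise<Record<string, boolean>> {
  const run = async (failAuth: boolean, check: typeof swallowingTest) => {
    const store = new TokenStore();
    return check(new UserService(store, failAuth), store);
  };
  return {
    swallowingOnThrow: await run(true, swallowingTest),    // true
    swallowingOnResolve: await run(false, swallowingTest), // true: false positive
    rejectingOnThrow: await run(true, rejectingTest),      // true
    rejectingOnResolve: await run(false, rejectingTest),   // false: regression caught
  };
}
```

The second row is the one that matters for review: with the service wired to succeed, the try/catch version still returns true, which is exactly the case the refactor closes.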
